haproxy: update config (maxconn, nbthread, ssl)

Configuration changes:

- max connections adjusted
- ulimit-n disabled
- nbprocs removed
- nbthread added
- ssl params added

Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>

net/haproxy/files/haproxy.cfg

@@ -1,6 +1,6 @@
-# Example configuration file for HAProxy 2.0, refer to the url below for
+# Example configuration file for HAProxy, refer to the url below for
 # a full documentation and examples for configuration:
-# https://cbonte.github.io/haproxy-dconv/2.0/configuration.html
+# https://docs.haproxy.org/3.2/configuration.html
 
 
 # Global parameters
@@ -15,12 +15,14 @@ global
 	#log /dev/log local0 info
 
 	# Specifiy the maximum number of allowed connections.
-	maxconn 32000
+	maxconn 10000
 
 	# Raise the ulimit for the maximum allowed number of open socket
 	# descriptors per process. This is usually at least twice the
 	# number of allowed connections (maxconn * 2 + nb_servers + 1) .
-	ulimit-n 65535
+	# By default, it is automatically computed, so it is recommended
+	# not to use this option.
+	#ulimit-n 65535
 
 	# Drop privileges (setuid, setgid), default is "root" on OpenWrt.
 	uid 0
@@ -35,27 +37,55 @@ global
 	# Enable debugging
 	#debug
 
-	# Spawn given number of processes and distribute load among them,
-	# used for multi-core environments or to circumvent per-process
-	# limits like number of open file descriptors. Default is 1.
-	#nbproc 2
+	# Spawn given number of threads and distribute load among them,
+	# used for multi-core environments.
+	# On some platforms supporting CPU affinity, the default
+	# "nbthread" value is automatically set to the number of CPUs
+	# the process is bound to upon startup. The default value is
+	# reported in the output of "haproxy -vv".
+	#nbthread 2
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
 
 	# SSL/TLS configuration. You can use the Mozilla SSL Config
 	# Generator. See: https://ssl-config.mozilla.org/#server=haproxy
+	# intermediate configuration
+	ssl-default-bind-curves X25519:prime256v1:secp384r1
+	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+	ssl-default-server-curves X25519:prime256v1:secp384r1
+	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+	ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+	ssl-default-server-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+crt-store acme-certs
+	crt-base /etc/ssl/acme
+	key-base /etc/ssl/acme
+	# load crt "domain1.fullchain.crt" key "domain1.key" alias "domain1"
+	# load crt "domain2.fullchain.crt" key "domain2.key" alias "domain2"
+
 
 # Default parameters
 defaults
 	# Default timeouts
-	timeout connect 5000ms
-	timeout client 50000ms
-	timeout server 50000ms
+	timeout connect 5s
+	timeout client 50s
+	timeout server 50s
+	timeout check 5s
 
 
 # Example HTTP proxy listener
 listen my_http_proxy
 
-	# Bind to port 81 and 444 on all interfaces (0.0.0.0)
-	bind :81,:444
+	# Disable this instance without commenting out the section.
+	disabled
+
+	# Bind to port 8080 on all interfaces (0.0.0.0)
+	bind :8080
+	# bind :8443 ssl alpn h2,http/1.1 default-crt @acme-certs/domain1
 
 	# We're proxying HTTP here...
 	mode http